Threat actors are exploiting CVE-2026-26980 in Ghost CMS to steal admin API keys, inject malicious JavaScript, and fuel large-scale ClickFix attacks across more than 700 compromised websites. The campaign uses cloaking, fake CAPTCHA pages, and multiple loaders to deliver payloads and eventually drop Windows malware, including a modified Grape desktop client and a signed PuTTY binary. #GhostCMS #CVE-2026-26980 #ClickFix #Adspect #Grape #PuTTY
Key points
- CVE-2026-26980 in Ghost CMS enables unauthenticated SQL injection through the Content API.
- Attackers use the flaw to steal admin API keys and tamper with published articles.
- Malicious JavaScript loaders are injected into compromised sites to support fake CAPTCHA attacks.
- The campaign has affected more than 700 websites across universities, media, fintech, and other sectors.
- The malware chain uses cloaking, PowerShell, DLLs, JavaScript payloads, and a modified Grape client for persistence.
Read More: https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html